A report published by leading independent consumer body Which?, reveals serious questions about the cyber security of ‘connected cars’ and the need for more regulations. Research was carried out on behalf of Which? by Context Information Security and identified serious security, data privacy and safety concerns in two of the most popular European car brands.

The investigation looked at the Ford Focus Titanium Automatic 1.0L Petrol and a Volkswagen Polo SEL TSI Manual 1.0L Petrol - both packed with some of the latest consumer car technology. While the cars proved more difficult to hack into than many connected products, Context researchers managed to find weaknesses in the cars’ security designs and were even able to identify what is suspected to be a Wi-Fi password from Ford’s manufacturing plant.

The research focused on infotainment systems, mobile applications, radio frequency systems – such as keys fobs for entry and ignition, and tyre pressure monitoring systems – as well as the Controller Area Network (CAN) used for communications between different vehicle components. While the full disclosure process is still being worked on with Ford and VW, these are some of the key findings of the investigations.

Context researchers found that the firmware on each of the two cars’ infotainment systems suffered from common issues such as outdated third-party software libraries and unsafe native code functions. And while both systems employed the use of electronic signatures to prevent unauthorised adding of custom code, it was possible to work around these on the VW system. The firmware for the Ford’s infotainment system, meanwhile, revealed full details of Wi-Fi network credentials that appears to be used at a number of its assembly plants.

The Context researchers then turned their attention to the CAN bus networks of the Focus and Polo cars. The Ford utilises separate CAN buses with good logical-data-separation between those used for different purposes, however, the infotainment (SYNC) unit was found to be connected to three separate buses, including the powertrain. This means that any successful attack on the infotainment unit could potentially give access to engine controls. The VW has five CAN buses with less well-thought-out separation. One bus is readily accessible from outside of the vehicle via the radar module, located behind the VW logo and can easily be removed with a screwdriver.

When it came to RF (radio frequency) systems, Context looked at both of the cars’ remote-control key-fobs. By monitoring typical radio frequencies used to broadcast keys to vehicles, the signal to the VW was able to be identified, without decoding, which suggests that the manufacturer doesn’t view the locking system as a significant target. Further investigation revealed the ability to both prevent reception of the signal by the car - essentially locking the user out - and to capture and replay signals, to gain entry later.

The Ford uses a more advanced ‘passive key’ with two-way communication between fob and car, allowing the user access without having to press a button, as long as they are nearby; this kind of system is increasingly found on modern cars, and is the subject of well published Relay Attacks. Again, minimal security was found on the transmissions from the key and prevention of the start-up ignition was possible, by blocking active signals from the key fob for authorisation. Both attacks were relatively straightforward and could be undertaken using off-the-shelf commercial equipment for under £200.

Following the investigation, Which? contacted both Ford and VW to let them know about the security problems identified. While VW was happy to accept the findings and have proactively worked with both Which? and Context to understand the issues, Ford has not yet accepted delivery of Context’s technical report.

“While it is reassuring to see that connected cars don’t have the same lack of security found in other connected products we have tested, it is clear that our investigations raise some serious concerns,” said Perry Barlow, project manager at Context Information Security. “As cars become increasingly like computers on wheels and provide complete autonomous driving in the near future, with interaction with other vehicles or highway infrastructure, manufacturers need to be very careful about designing-in strong cyber-security measures.”

Andrew Laughlin, Which? principle researcher, commented: “The UK government is working on new legislation for connected cameras, toys and other products with poor security standards. Yet it appears that the car industry has largely been left to create effective security measures on its own. That’s a risky approach.”

There is emerging, published, guidance for assessment of cyber security and cyber risk in vehicles, such as SAE J3016, but it will be some time before this is fully adopted or mandated. Until then, modern vehicles could increasingly become a target for cyber attacks, unless the flaws are identified and addressed through studies such as this.